11 Pro Tips for OAuth 2.0 Pentesting

Cristi Vlad
3 min read · Oct 7, 2024


To build on the AI podcast based on RFC 6819 I recently posted, here are 11 specific tips for pentesters assessing OAuth 2.0 deployments. The bracketed references point to the RFC 6819 sections each tip is drawn from:

1. Identify and exploit hardcoded secrets in source code

Look for client secrets embedded in the application’s source code or in shipped artifacts: open-source repositories, accidentally exposed private repositories, native app binaries and front-end JavaScript bundles. A client_secret that ships with the client is readable by anyone who can read the code, so it authenticates nothing; with it an attacker can impersonate the client at the token endpoint. [Section 4.1.1]

2. Target client secrets shared across deployments

If secrets are not deployment-specific, one secret recovered from a single installation (for example, one copy of a distributed native app or one customer’s instance of a product) works against every other installation that reuses it. Look for deployments where the same secret is shared rather than issued per installation. [Section 4.1.1]

3. Locate insecure storage for refresh tokens

On native clients, refresh tokens are sometimes written in plaintext to the device’s file system, preferences or application database instead of platform-protected secure storage. Because a refresh token is long-lived, an attacker with access to the device, a backup or a file-disclosure bug obtains durable access without ever seeing the user’s credentials. [Section 4.1.2]

4. Exploit long-lived access tokens

If access tokens have long lifetimes, or refresh tokens are never rotated, a stolen token remains usable long after the theft and the theft is harder to notice. Check the token lifetime (the expires_in value in the token response, or the exp claim of a JWT access token) and whether using a refresh token invalidates the previous one. [Section 5.1.5.3, 5.2.2.3]

5. Exploit improperly validated redirect URIs

If the authorization server does not validate redirect_uri by exact match against the pre-registered value (prefix, wildcard and substring matching are common mistakes), an attacker can point the redirect at an endpoint they control and receive the authorization code, or the access token in the implicit flow. Even with exact matching, an open redirector on the client (for example a next= or return= parameter on the registered callback) lets the attacker bounce the code onward. Try modified hosts, added query parameters and deeper paths against the registered URI. [Section 4.1.5, 5.2.3.5]

6. Bypass weak client authentication

Client credentials sent to the token endpoint over an unprotected channel (plain HTTP, or TLS with a certificate the client never verifies) can be intercepted and replayed to impersonate the client. Look for token endpoints reachable without TLS, clients that disable certificate validation, and credentials passed in places that get logged, such as URL query strings. [Section 4.3.3]

7. Phishing attacks on end users

Users rarely verify that the page asking for their password really is the authorization server. A malicious client, or a legitimate one that has been compromised, can send the user to a counterfeit authorization server that mimics the real one and harvests their credentials. When testing, note whether the client opens a full browser, where the user can inspect the URL and TLS indicators, or an embedded web view that hides them. [Section 4.2.1, 4.1.4]

8. Exploit a missing ‘state’ parameter for CSRF

If the client does not send a state value bound to the user’s session and verify it on the callback, an attacker can start an authorization with their own account, keep the resulting code instead of completing the flow, and then trick a victim into loading the client’s callback URL with that code. The victim’s session ends up linked to the attacker’s account (or, in the reverse direction, the attacker’s session to the victim’s resources). Look for clients that omit state, accept a callback without one, or use a predictable or fixed value. [Section 3.6, 4.4.1.8]

9. Leverage clickjacking vulnerabilities

If the authorization endpoint can be loaded in an iframe, an attacker can overlay it with a decoy page and trick the user into clicking the consent button, authorizing the attacker’s client without realizing it. Check whether the authorization pages send an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive that forbids framing. [Section 4.4.1.9, 5.2.2.6]

10. Intercept tokens without TLS

Without TLS on every endpoint involved (authorization endpoint, token endpoint, the client’s redirect URI and the resource server), authorization codes, tokens and client credentials cross the network in the clear and can be captured by anyone on the path. Test each endpoint over plain HTTP, not just the login page, and check whether the server serves the request anyway instead of refusing it. [Section 5.1.1]

11. Abuse excessive token scope and usage

Tokens granted broader scopes than the client needs, or usable an unlimited number of times, give an attacker far more to work with once a token is stolen. Look for clients that request wide scopes by default, servers that grant more than was requested, and codes or tokens meant for one-time use that can be replayed. [Section 5.1.5.1, 5.1.5.4]
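The checks behind tips 5 and 8, as an added example written for this page rather than code from the post, the RFC or any library: a lax prefix match on redirect_uri beside the strict exact match the RFC calls for, an authorization endpoint model that refuses to redirect on a bad URI, and a client that binds state to its session and rejects a forged callback. The hosts (as.example, client.example, attacker.example), the client_id "app-123", the probe URLs and the in-memory registry are all constructed; the authorization server is a minimal model, not a real implementation.

```python
# Added example: redirect_uri validation (tip 5) and state/CSRF handling (tip 8).
# All hosts, client_ids and probe URLs below are constructed for illustration.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry: redirect URIs pre-registered for each client_id.
REGISTERED_REDIRECTS = {"app-123": ["https://client.example/callback"]}


def lax_redirect_ok(client_id, requested):
    """Weak check seen in real deployments: accept anything that merely begins
    with a registered URI. Added query parameters or a deeper path slip through,
    which is what an open redirector on the client (RFC 6819 4.1.5) needs."""
    return any(requested.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, []))


def _parts(uri):
    """Return scheme, host, port (default applied), path, query, fragment."""
    p = urlsplit(uri)
    port = p.port or (443 if p.scheme == "https" else 80)  # p.port may raise ValueError
    return p.scheme, p.hostname, port, p.path, p.query, p.fragment


def strict_redirect_ok(client_id, requested):
    """Hardened check (RFC 6819 5.2.3.5): exact match on scheme, host, port and
    path against a registered URI; https only; no query string or fragment."""
    try:
        scheme, host, port, path, query, fragment = _parts(requested)
    except ValueError:  # unparsable port and similar garbage
        return False
    if scheme != "https" or query or fragment:
        return False
    return any((scheme, host, port, path) == _parts(reg)[:4]
               for reg in REGISTERED_REDIRECTS.get(client_id, []))


def authorize(client_id, redirect_uri, state, redirect_check):
    """Model of the authorization endpoint after user consent. Returns
    ("redirect", location) or ("error", reason). An invalid redirect_uri must
    yield an error page for the user, never a redirect to the supplied URI."""
    if not redirect_check(client_id, redirect_uri):
        return "error", "invalid redirect_uri"
    code = secrets.token_urlsafe(24)  # stands in for a stored one-time code
    sep = "&" if "?" in redirect_uri else "?"
    return "redirect", redirect_uri + sep + urlencode({"code": code, "state": state})


class RelyingClient:
    """Client side of the code flow with a session-bound, single-use state."""
    AUTHZ_ENDPOINT = "https://as.example/authorize"  # constructed
    CLIENT_ID = "app-123"
    REDIRECT_URI = "https://client.example/callback"

    def __init__(self):
        self.session = {}  # stands in for a server-side session tied to the browser cookie

    def start_login(self):
        """Generate an unguessable state, remember it, build the authorization request."""
        state = secrets.token_urlsafe(32)
        self.session["oauth_state"] = state
        return self.AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.CLIENT_ID,
            "redirect_uri": self.REDIRECT_URI, "state": state})

    def handle_callback(self, url):
        """Return the code only if state matches this session; a callback this
        session never started (CSRF, RFC 6819 4.4.1.8) returns None."""
        params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        expected = self.session.pop("oauth_state", None)  # one-time use
        if expected is None or not secrets.compare_digest(expected, params.get("state", "")):
            return None
        return params.get("code")


def run_scenario():
    """Exercise both checks against constructed attacker inputs; returns a dict."""
    probes = [
        "https://client.example/callback",                                  # genuine
        "https://client.example/callback?next=https://attacker.example/",   # open redirector
        "https://client.example/callback/../other",                         # deeper path
        "https://client.example.attacker.example/callback",                 # look-alike host
        "http://client.example/callback",                                   # no TLS (tip 10)
    ]
    results = {"lax": [lax_redirect_ok("app-123", p) for p in probes],
               "strict": [strict_redirect_ok("app-123", p) for p in probes]}
    # Tip 5 end to end: lax AS redirects the code into the open redirector, strict refuses.
    results["lax_as_redirects"] = authorize("app-123", probes[1], "s", lax_redirect_ok)[0] == "redirect"
    results["strict_as_rejects"] = authorize("app-123", probes[1], "s", strict_redirect_ok)[0] == "error"
    # Tip 8: a genuine callback is accepted; a forged one (attacker's code, guessed state) is not.
    victim = RelyingClient()
    state = parse_qs(urlsplit(victim.start_login()).query)["state"][0]
    _, location = authorize("app-123", RelyingClient.REDIRECT_URI, state, strict_redirect_ok)
    results["genuine_code_accepted"] = victim.handle_callback(location) is not None
    victim2 = RelyingClient()
    victim2.start_login()
    forged = RelyingClient.REDIRECT_URI + "?" + urlencode({"code": "attacker-code", "state": "guess"})
    results["forged_code_accepted"] = victim2.handle_callback(forged) is not None
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

When testing a real deployment, the probe list is the part to grow: submit each variant as redirect_uri in a live authorization request and watch whether the server redirects (lax) or shows an error page (strict); any redirect to a URI you did not register is a finding. The client-side check is the mirror image: replay a callback URL into a fresh browser session and see whether the application accepts a code it never asked for.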

Different prompting strategies have helped me extract these tips from the RFC. I’d encourage all offensive security professionals to dive deeper into this document because it’s a treasure trove of valuable insights, especially sections 4 and 5.

And of course, these tips should only be used in controlled environments where permission for pentesting has been granted.
